If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Fake MS email phish delivers Zeus via Java vuln ...

FYI...

Fake MS email phish delivers Zeus via Java vuln ...
- https://isc.sans.edu/diary.html?storyid=14020
Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this emailwill subject victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... (evil) email including the following header snippet:
Received: from [101.5.162.236] ([101.5.162.236]) by
inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
A legitimate header snippet:
Received: from smtpi.msn .com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)101.5.162.236 is in China, 65.55.52.232 is Microsoft. The legitimate email will include a hyperlink for http://email.microsoft.com/Key-98503...15.C.KK.DlNkNK , which points to the above mentioned services agreement.
(Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:
047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:
034:034:02:065:071:034"/></applet>
The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
Contemplate disabling Java(5) until the -next- update(6) is released..."

101.5.162.236
101.5.0-255.*
inetnum: 101.5.0.0 - 101.5.255.255
netname: TSINGHUA-CN
country: CN
origin: AS4538http://www.google.com/safebrowsing/d...c?site=AS:4538
... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).
___

Fake Amazon email exploits recent Java vuln ...

FYI...

Fake ‘Amazon order’ email exploits recent Java vuln ...
- http://community.websense.com/blogs/...erability.aspx
03 Sep 2012 - "... Websense... has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit. If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data. Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681*)... On 1st September, Websense... intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
> http://community.websense.com/cfs-fi...2D00_550x0.jpg
Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit... an analysis of this file can also be found on VirusTotal**..."

Fake Google email contains a trojan ...
- http://h-online.com/-1698349
04 Sep 2012 - "Unknown attackers are attempting to persuade email recipients to open attachments that contain a trojan by claiming to be from The Google Accounts Team. A new email supposedly from "accounts-noreply @google .com" with the subject "Suspicious sign in prevented" is being sent en masse -claiming- that a hijacker has attempted to access the mail recipient's Google Account. The message says that the sign-in attempt was prevented but asks users to refer to the attached file for details of the attempted intrusion. However, instead of containing information such as the IP address of the log-in attempt, the attached zip file contains a Windows executable file that will install a trojan onto a victim's system. While Google does sometimes send emails like this to users, they -never- contain attachments; users that receive such an email are advised to delete them. According to VirusTotal*, the trojan is currently only detected by just half of 42 anti-virus programs..."
* https://www.virustotal.com/file/df0b...c23a/analysis/
File name: Google_Accounts_Alert-3944-J5I-4169.zip
Detection ratio: 21/42
Analysis date: 2012-09-04 09:25:32 UTC
___

... My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff."

Last edited by AplusWebMaster; 2012-09-04 at 18:33.

The machine has no brain.
......... Use your own.
Browser check for updateshere.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

$100 billion in losses to cybercrime

FYI...

$100 billion in losses to cybercrime ...
- http://h-online.com/-1701983
6 Sep 2012 - "According to Symantec's 2012 Norton Cybercrime Report*, worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim. A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist's report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report... Around 40% of people don't use complex passwords or don't change their passwords regularly. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services. Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries."
* http://www.symantec.com/about/news/r...id=20120905_02
Sept. 5, 2012
___

- http://google.com/safebrowsing/diagn...sigallery.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 9 trojan(s), 1 scripting exploit(s)..."
- http://google.com/safebrowsing/diagn...e=dushare.net/
"Site is listed as suspicious... The last time Google visited this site was on 2012-09-07, and the last time suspicious content was found on this site was on 2012-09-07. Malicious software includes 2 trojan(s), 1 scripting exploit(s)..."
___

Fake BBB email phish/Spam leads to malware

FYI...

Fake BBB email phish/Spam leads to malware
- https://isc.sans.edu/diary.html?storyid=14053
Last Updated: 2012-09-09 - "We received another piece of spam... pretending to be from the Better Business Bureau. Analysis of the file transferred (W6w8sCyj.exe) from prog .it appears to be a piece of malware (Win32/Cridex.Q) use to communicates via SSL with a C&C server... List of domains/IP to watch for and block:
ajaxworkspace .com, prog .it, la-liga .ro, ejbsa .com .ar, technerds .ca, 108.178.59.12
The email looks like this:

The malicious payload is at [donotclick]blue-lotusgrove .net/main.php?page=559e008e5ed98bf7 (report here*) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack**... domains on the same server... can all be considered to be malicious... (More detail/URL list at the dynamoo URL above.)
* http://wepawet.iseclab.org/view.php?...388149&type=js
Detector Result
Jsand 2.3.4 malicious

Fake ADP emails, voice mail notifications lead to Blackhole Exploit Kit
- http://community.websense.com/blogs/...ploit-kit.aspx
13 Sep 2012 - "Since Blackhole Exploit Kit 2.0* was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email. Websense... has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit... One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com... A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters... The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version. ADP is one the largest names in payroll services... Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":
> http://community.websense.com/cfs-fi..._5F00_blur.jpg
... one of the possible redirection paths:
hxxp ://allbarswireless .com/HXwcDdQ/index.html
hxxp ://ash-polynesie .com/AjVSXvus/js.js
hxxp ://108.60.141.7 /tfvsfios6kebvras .php?r=dwtd6xxjpq8tkatb
hxxp ://108.60.141.7 /links/ differently-trace.php ...
Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message." Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":
> http://community.websense.com/cfs-fi...5F00_blur1.jpg
... redirection chain here is similar:
hxxp ://www.tryakbar .com/tLbM3r/index.html
hxxp ://sportmania .so/JP3q2538/js.js
hxxp ://173.255.221.74 /tfvsfios6kebvras .php?r=rs3mwhukafbiamcm ...
Another scheme thanks the user for signing up for a premium service. Subject lines include "Thank you for activating paid services":
> http://community.websense.com/cfs-fi..._5F00_blur.jpg
Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:
hxxp ://www.svstk. ru/templates/beez/check.php
hxxp ://bode-sales .net/main.php?page=3c23940fb7350489
And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended. Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"
> http://community.websense.com/cfs-fi..._5F00_blur.jpg
Here again, simple redirection leads to typical "/main.php?page=" type URLs.
hxxp ://kahvikuppi .org/achsec.html
hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7
Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability."
* http://community.websense.com/blogs/...es-to-2-0.aspx

ADP spam ...
- http://blog.dynamoo.com/2012/09/adp-...624937122.html
13 Sep 2012 - "... fake ADP spam tries to load malware from 46.249.37.122... After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122 /links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case."